Need ability to expire logs with more granularity than #days.

Description

There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.

Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

Environment

None

Activity

Adam Slagell
January 19, 2016, 7:02 PM

Justin, can you merge this this week?

Justin Azoff
January 19, 2016, 7:11 PM

Will do.

Justin Azoff
January 20, 2016, 6:38 PM

This change looks good but I have one suggestion. I could see someone changing the option to "12hours" and getting this message

value of broctl option "logexpireinterval" is invalid: 12hours

but being confused about WHY it is invalid. Something like this could help with that:

"value of broctl option "logexpireinterval" is invalid: "12hours". Only time units "day", "hr", and "min" are recognized"

It might also be a good idea to just add "hours" and "minutes" as valid units to begin with.

Daniel Thayer
January 20, 2016, 7:35 PM

In order to avoid confusion, I kept the unit specifiers the same as what's allowed in Bro scripts.
I've now made the error message more verbose.

Justin Azoff
January 20, 2016, 7:41 PM

Ah! I bet that is where I have run into this. Bro throws a syntax error if you try to use a duration of 'hours' or 'minutes'.
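
The parsing discussed in this ticket, sketched as an added example (not BroControl's own code): an interval string is converted to minutes for `find -mmin`, and an unrecognized unit such as `12hours` is rejected with the verbose message suggested above. The function names, the optional plural "s", the treatment of a bare number as days, and the sample directory are assumptions.

```python
import re

# Units taken from the thread: "day", "hr", "min". The optional trailing "s"
# is an assumption modelled on the "10hr" / "5days" examples in the ticket.
_UNIT_MINUTES = {"day": 24 * 60, "hr": 60, "min": 1}
_INTERVAL_RE = re.compile(r"^\s*(\d+)\s*(day|hr|min)s?\s*$")


def parse_expire_interval(value):
    """Return the interval in whole minutes; 0 means expiration is disabled."""
    match = _INTERVAL_RE.match(value)
    if match:
        return int(match.group(1)) * _UNIT_MINUTES[match.group(2)]
    # Assumption: a bare integer keeps the old "number of days" meaning.
    if value.strip().isdigit():
        return int(value) * _UNIT_MINUTES["day"]
    raise ValueError(
        'value of broctl option "logexpireinterval" is invalid: "%s". '
        'Only time units "day", "hr", and "min" are recognized' % value
    )


def find_expired_args(log_dir, value):
    """Build the argument list for a find(1) call that lists expired logs.

    -mmin +N selects files last modified more than N minutes ago, which is
    the finer-grained replacement for -mtime described in the ticket.
    Returns None when the interval is 0 so that nothing is ever selected.
    """
    minutes = parse_expire_interval(value)
    if minutes == 0:
        return None
    return ["find", log_dir, "-type", "f", "-mmin", "+%d" % minutes]


if __name__ == "__main__":
    # Constructed sample values; the directory is a placeholder.
    for sample in ("10hr", "5days", "90min", "3", "0", "12hours"):
        try:
            print(sample, "->", find_expired_args("/var/log/bro-archive", sample))
        except ValueError as err:
            print(sample, "->", err)
```

Failing closed on an unparseable value matters here: silently falling back to a default could either delete logs an investigation still needs or let the archive fill the disk.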

Assignee

Justin Azoff

Reporter

Seth Hall

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Low